Risk-based authentication
17.4.1.15. Risk-based authentication (role derivation)

In role-based access control (RBAC) schemes, access to a resource is granted if the accessing user has the required roles to do so.

Attribute-based access control (ABAC) generalizes the concept of RBAC by including various attributes, e.g., user profile data or contextual information, in its access decision process.

Risk-based authentication further extends ABAC by estimating the "security risk" a user is exposed to during a login process.

The authentication policies are adapted based on the perceived risk. For instance, if a user always logs in from the same browser or from within a company network, weak authentication (typically username and password) may be sufficient, because the user's environment is considered to be trusted. However, if a login attempt originates from an unexpected geographical location or occurs at an unusual time of day, a second authentication factor (e.g. mTAN) may be enforced.